NHS investment in Identity Management (IdM) technologies in recent years has not been as significant as one would expect, especially given that this very much underpins organisational Information Governance capability.
Paul White asks: is this the time Identity Management in health comes of age?
Not Something for Everyone?
After 2 years and visits to over 200 trusts to promote the merits of identity and access management solutions, I had to take a step back and reflect on why it was proving so difficult to secure commitment, at least to progress exploration of requirements beyond a mild level of interest in what identity management technology had to offer.
It was not as if I was the only one trying to encourage trusts to consider the merits of IdM solutions: in 2005 Connecting for Health invested nearly £20m in a Novell Enterprise Wide Agreement that incorporated Novell’s Identity Vault product licences.
Despite the Novell EWA underwriting a proportion of the solution costs, wide-scale adoption of the Identity Vault solution did not occur. In this case, though, the cause appeared to be a reluctance to readopt Novell technology, given that the majority of trusts had some years back migrated to standardise on Microsoft technology, rather than any lack of appreciation of the merits of IdM.
Although I had greater success in securing trust adoption of an alternative Microsoft technology based solution, even managing to establish market-leading status in health despite not having the same central funding support that Novell benefited from, achieving mainstream adoption across health of any IdM technology platform has proved too great a challenge for any single provider.
The reality was that, despite the business requirement and emphasis provided through the Information Governance toolkit for Identity Management, and ICT appreciation of what IdM could achieve, qualifying this into a business case to secure funds and commitment proved to be too challenging a piece of work in its own right.
Business Requirements Re-evaluated
Identity – the name or essential characteristics that identify somebody or something. In the case of information governance, for example, a role or function a person performs for the business forms an essential characteristic of a member of staff.
Technologies that the NHS largely already has in place, e.g. networking and data management systems, have an evolved capability to store a great level of detail about the professional characteristics of staff. For the best example of this, open your Microsoft Outlook message client and take a look at the address book entry or Outlook contact form.
In addition to forename, surname and email address, details can include employee IDs, department, job title, place of work, contact details and line manager, to name just a few of the more critical information governance elements.
Yet when you examine almost any directory service within an organisation you will be lucky to find anything more than just a user name and email address. Take a look at the NHSmail address book: 90% of the entries contain only a very basic set of details.
This may be for legacy reasons: older technologies that have since been migrated or upgraded never had the capacity to store more than basic details, and subsequent upgrade projects never took the opportunity to expand the level of information stored beyond what came from the legacy system.
One has to ask why, given the importance placed on the need for improved information governance, was the opportunity to increase the level of staff identity information stored in the system not a key deliverable of any technology upgrade or refresh projects?
Should identity information be added? Simply, yes. It is an imperative element of information governance: without it, organisations and users cannot validate access rights, because they cannot easily identify individuals, their roles, and their relationships to departments and others within the organisation's hierarchy and structure.
Case for Identity Management, a No-Brainer!
Consider just users such as Information Asset Owners and Heads of Department, the people who are much closer to the change management requirement that needs to be implemented, such as staff changing roles, promotions, leavers and new starters.
These overworked staff are engaged in what is quite often a convoluted paper-based administration process, which many of the organisations I have met with readily admitted to be an untimely, error-prone and consequently very unreliable approach.
Many went further in acknowledging that their network, back office and clinical systems contained a disjointed and wide variation of information on end users, as a consequence of which compliance audits are either almost impossible or, at least, extremely costly to achieve.
Yet modern network technologies provide mechanisms for greatly simplifying the assignment of user access controls and permissions, reliably and automatically, through features such as group or role based policies, which use information such as location of work, staff job functions or roles to determine and implement permissions and access controls accordingly.
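As an added illustration (not from the article or any vendor product), the sketch below shows attribute-driven access in the sense described above: group membership is derived from directory attributes and each account is reconciled against it. The attribute names, policy rules, group names and users are all constructed for the example.

```python
# Added example with constructed data: attribute names, rules, groups and users
# are assumptions for illustration, not taken from the article or any product.
REQUIRED = ("employee_id", "department", "job_title", "site", "line_manager")

# Hypothetical policy: every attribute condition must match to earn the group.
POLICY = [
    ({"department": "Radiology"}, "grp-pacs-users"),
    ({"department": "Radiology", "job_title": "Radiographer"}, "grp-pacs-reporting"),
    ({"site": "North Wing"}, "grp-northwing-printers"),
]

DIRECTORY = [
    {"user": "asmith", "status": "active", "employee_id": "E100",
     "department": "Radiology", "job_title": "Radiographer",
     "site": "North Wing", "line_manager": "bjones",
     "groups": {"grp-pacs-users"}},
    {"user": "cpatel", "status": "leaver", "employee_id": "E200",
     "department": "Finance", "job_title": "Analyst",
     "site": "South Wing", "line_manager": "bjones",
     "groups": {"grp-finance-ledger"}},
    # Username-only entry of the kind the article says is common.
    {"user": "dlee", "status": "active", "groups": {"grp-pacs-users"}},
]

def missing_attributes(entry):
    """Governance attributes that are absent or empty on a directory entry."""
    return [a for a in REQUIRED if not entry.get(a)]

def entitled_groups(entry):
    """Groups the policy grants; leavers and unmatched entries get none."""
    if entry.get("status") != "active":
        return set()
    return {group for cond, group in POLICY
            if all(entry.get(k) == v for k, v in cond.items())}

def reconcile(entry):
    """Compare held groups with entitled groups for one account."""
    want, have = entitled_groups(entry), set(entry.get("groups", ()))
    return {"user": entry["user"], "missing": missing_attributes(entry),
            "grant": sorted(want - have), "revoke": sorted(have - want)}

def audit(directory):
    return [reconcile(e) for e in directory]

if __name__ == "__main__":
    for row in audit(DIRECTORY):
        print(row)
```

An entry with no attributes matches no rule, so the username-only account loses its group: access fails closed until the identity data is filled in.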
The benefits of utilising these technology features are numerous and extend well beyond just those of good information governance practice. For example, automation of user account creation and administration will free up valuable technical and systems administration resource, which can instead be put to more productive and useful work, such as developing systems rather than just running them.
Information governance risk and the likelihood of issues occurring through inappropriate access or misadventure are also greatly reduced, with the added benefit of being able to demonstrate that a robust and reliable approach is taken to access control.
However, one of the initial root causes of the current state of affairs is the fact that the native “out-of-the-box” systems administration tools provided are just not user friendly, nor easily implemented in a way that only provides access to functions and features that are relevant. They tend to take an all-or-nothing approach when it comes to granting administrative rights.
Resolving the Challenge
All is not lost. Specialist identity and access assurance solution providers are in abundant supply, a great many with a mature, proven and highly flexible set of solutions that resolve this NHS information governance dilemma.
By providing business- and user-friendly administration interfaces, complemented with reliable and timely workflow services, these solutions allow information asset owners and heads of department to be properly engaged in the process of user account administration and access rights authorisation and revocation.
A huge tick-in-the-box for NHS Information Governance Toolkit (IGT) requirement:
- 305 Operating and application information systems (under the organisation’s control) support appropriate access control functionality and documented and managed access rights are in place for all users of these systems,
and a significant contribution towards helping organisations better achieve the IGT audit requirement:
- 206 There are appropriate confidentiality audit procedures to monitor access to confidential personal information.
The fact is, with a well-qualified set of user identity metrics readily accessible to all staff, a significant number of IGT level 2 requirements become much easier, and consequently more cost-effective, to achieve.
Furthermore, the current cost of administration and management of the various systems can be greatly reduced, as a result of Identity Assurance technology’s comprehensive interface capabilities that automate integration of multiple identity data sources, provisioning of user accounts and access rights management across all systems (network, business and clinical).
This provides organisations with the ability to demonstrate delivery of Quality, Innovation, Productivity and Prevention (QIPP) cost savings and efficiency gains, especially with regard to back office administration and management functions.
Having a solid identity management foundation is an information governance prerequisite. It is possible to establish manual processes and procedures to address this requirement, but not cost-effectively or efficiently; human frailties unfortunately prevail.
With modern Identity Assurance Solutions the human frailties are removed, ensuring that a reliable, robust, timely and assured process for identity and access management assurance is established, and delivering a consistent approach to staff identities on all systems that makes assurance of rights and access activities easy to achieve.
The organisation also ends up with a better informed user community, with colleague information readily accessible through user-friendly technologies such as the Outlook address book, greatly enhancing the opportunity for staff collaboration through increased understanding of colleague roles and functions, and most importantly, the opportunity for users to validate the appropriateness of information sharing.
Better yet, being able to demonstrate the reliable maintenance of identities and access rights for the entire organisation will secure the support of regulators and, most importantly, the patients and public. This is a must if investment in electronic patient records and electronic health systems is to secure patient engagement and participation.